pf ruleset question

Mario Doria madd at tecdigital.net
Sun Mar 21 22:40:00 PST 2004


Hi all,

I was reading a pf ruleset example at 
http://www.openbsd.org/faq/pf/example1.html when I noticed this:

(1) pass in  on $int_if from $int_if:network to any keep state
(2) pass out on $int_if from any to $int_if:network keep state

(3) pass out on $ext_if proto tcp all modulate state flags S/SA
(4) pass out on $ext_if proto { udp, icmp } all keep state

$int_if is the internal interface.
$ext_if is the external interface.

As I understand it, the rule (1) allows the internal network to communicate to 
the firewall and to the outside world.
Rule (2) lets the firewall talk to the internal network.
Rule (3) lets traffic go out (tcp), but pf is first going to use a high-
quality random sequence number for each connection.
Rule (4) lets protocols udp and icmp go out on the external interface.

Now the problem I see is:
from the pf.conf(5) man page:

"    There are two caveats associated with state modulation: A modulate state
     rule can not be applied to a pre-existing but unmodulated connection.
     Such an application would desynchronize TCP's strict sequencing between
     the two endpoints.  Instead, pf(4) will treat the modulate state modifier
     as a keep state modifier and the pre-existing connection will be inferred
     without the protection conferred by modulation."

So, here rule (1) is the first rule that sees the connections coming from the 
internal interface, and if you're doing NAT on the firewall, when your 
packets go out to the world using rule (3), they would not benefit from the 
modulate keyword. pf would treat the connection as a previously existing 
connection and then it wouldn't be able to apply the modulate keyword. 

I don't know if this is correct; I'm having doubts because I found this 
example on the "official" FAQ for PF. Can anyone help me please?


Mario 


More information about the freebsd-questions mailing list